#!/bin/bash
clear
RED="\033[31m"    # Error message
GREEN="\033[32m"  # Success message
YELLOW="\033[33m" # Warning message
BLUE="\033[36m"   # Info message
RESET='\033[0m'

if [ "$EUID" -ne 0 ]; then
  echo -e "${RED} Anda tiada kebenaran untuk menjalankan skrip ini! ${RESET}"
  exit 1
fi

hostAddr=$(cat /usr/local/.environment | grep -w 'DOMAIN' | cut -d '=' -f 2 | head -n 1)
emailAddr=$(cat /usr/local/.environment | grep -w 'EMAIL' | cut -d '=' -f 2 | head -n 1)
nginx_service=$(systemctl is-active squid.service)

apt-get -qq update
apt-get -y install nginx

if [[ $nginx_service == 'active' ]]; then
  systemctl stop nginx
fi

cat >/etc/nginx/conf.d/cloudflare.conf <<-EOF
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;

set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;

real_ip_header CF-Connecting-IP;
EOF

apt-get -y -qq install certbot
apt-get -y -qq install python3-certbot
apt-get -y -qq install python3-certbot-nginx

certbot --non-interactive --agree-tos --email $emailAddr --nginx -d $hostAddr
echo '10 11 * * *   root /usr/bin/certbot renew >/dev/null 2>&1' >>/etc/crontab

sleep 3
if [[ ! -f /etc/nginx/nginx.conf.bak ]]; then
  cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
fi

echo 'user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 1024;
}

http {
  log_format  main  \'$remote_addr - $remote_user [$time_local] "$request" \'
                    \'$status $body_bytes_sent "$http_referer" \'
                    \'"$http_user_agent" "$http_x_forwarded_for" \'
                    \'$proxy_protocol_addr:$proxy_protocol_port\';

  access_log  /var/log/nginx/access.log main;
  error_log /var/log/nginx/error.log;

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;

	gzip off;

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}' >/etc/nginx/nginx.conf

echo 'server {
	listen 80 default_server;
	listen [::]:80 default_server;

	root /var/www/html;
	index index.html index.htm index.nginx-debian.html;
	server_name _;

	location / {
		try_files $uri $uri/ =404;
	}
}

server {
  listen [::]:443 ssl ipv6only=on;
  listen 443 ssl;
  server_name www.${hostAddr} ${hostAddr};
  root /var/www/html;
	index index.html index.htm index.nginx-debian.html;

  ssl_certificate /etc/letsencrypt/live/${hostAddr}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/${hostAddr}/privkey.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

  include /usr/share/nginx/modules/*.conf;
  include /etc/nginx/conf.d/*.conf;

  location / {
  }

  error_page 404 /404.html;
    location = /40x.html {
  }

  error_page 500 502 503 504 /50x.html;
    location = /50x.html {
  }
}'>/etc/nginx/sites-enabled/default

echo
echo -e "${GREEN} Pemasangan nginx pakej telah selesai. ${RESET}"
echo
